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REMARKS 

Applicant has had! occasion to study the specification in greater detail and has noted 
several inconsistencies and typographical errors as well as several places where acronyms are not 
explicitly spelled out. Applicant herein corrects these minor errors. No new matter has been 
added, but the specification is placed in better condition for publication and public consumption. 

Applicant further botes two typographical errors in claim 1. Specifically a "to" and a ";" 
were missing. Applicant'herein amends claim 1 to include the missing elements. The scope of 
the claim has not change^! by virtue of these amendments, but the presentation of the claim is ^ 



improved. 



CO 



The Patent Ofiicejhas rejected claims 1-23 under 35 U.S.C. § 103 as being unpatentable ^ 
over Iddon et al. Applicant respectfully traverses this rejection. To make a proper obviousness ^ 
rejection, the Patent Office must make a prima facie case of obviousness. A prima facie case of ^ 
obviousness is made when the Patent Office shows where each and every claim element is 
located within the reference. MPEP § 2143.03. When illustrating where each and every claim HI 
element is located, the Patent Office is entitled to give claim elements their broadest reasonable ^ 
interpretation. MPEP §2111. However, this leniency is restricted by at least two countervailing 
concerns. First, the standard is still concerned with a reasonable interpretation. Second, the 

broadest reasonable interpretation is defined to be the plain meaning given to the term by one of 

i 

ordinary skill in the art. MPEP § 2111.01. 

In the present casjj, the Patent Office has adopted an unreasonably broad interpretation of 
certain claim elements thiit someone of ordinary skill in the art would not give the claim 
elements. When the claim elements are given their plain meaning, the Patent Office has failed to 
show where in the reference certain claim elements are located. The Patent Office lumps claims 
1, 2, and 18 together despite varying claim coverage for these claims. They will be addressed 
individually herein. j 

Claim 1 recites transmitting the accounting records to the flow aggregation process. The 
Patent Office opines that this is taught by the references, pointing to column 9, lines 3-10 and 
quoting the same in the Office Action. Applicant respectfully traverses. Applicant defines what 
a flow aggregation procebs does at page 8, line 24-page 9, line 8, In light of this explanation, 
someone of ordinary skill in the art would not construe the flow aggregation process to be 
readable on passing packets up through the various network protocol layers as part of the 
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Iddon et al. does not teacl 



ordinary traffic describedjin coltimn 9, lines 3-10. Rather, someone of ordinary skill in the art 
would recognize that column 9, lines 3-10 refer to ordinary network traffic that is addressed to 
the probe of the reference, This ordinary network traffic is not tied in any way, by the text of the 
reference, to transmitting -the accounting records. In fact, the reference contrasts this sort of 
network traffic with the record collection process described elsewhere in the reference. That is, 
the reference, in the preceding portion of the cited paragraph, indicates that the probe listens to 
all traffic so as to collect jhe information for the network data engine and then contrasts this 
global listening with the Selective communication of when the probe is addressed specifically. 
Thus, the cited passage djjes not teach transmitting the information to the flow aggregation 
process. Since the reference does not teach or suggest a claim element, the Patent Office has not 
made a prima facie case <|if obviousness, and the claim is allowable over the rejection of record. 
Claim 1 is independently patentable for another reason. The Patent Office admits that 
1 the concept of the first and second flow aggregation processes or 
awaiting an acknowledgment signal from the flow aggregation process before discarding the 
accounting records sent tci the flow aggregation process. The Patent Office attempts to address 
this deficiency by quoting; two portions of the reference that have nothing to do with the claimed 
invention. The analysis (joncludes with the more relevant statement "it would have been obvious 

to a person of ordinary skill in the art at the time the invention was made to modify the teachings 

) 

of Iddon" to include the ipissing claim elements "to improve accuracy and the reliability of the 

f 

fault tolerance for network accounting architecture, and provide more functionality by have 
stringent performance retirements, as they require the node to handle all network traffic passing 

the node," This statement does not support the Patent Office's motivation to modify the 

1 

reference. Specifically, the Patent Office is obligated to show why someone of ordinary skill in 
the art would be motivated to modify the reference to arrive at the claimed invention as well as a 
suggestion of how to modify the reference. In the present case, there is no teaching or 
suggestion of how to modify the reference to arrive at the claimed invention. The earlier 
citations of the Patent Office to column 2, lines 45-51 and column 14, lines 9-15 do not provide 
the suggestion as to how the reference may be modified to arrive at the claimed invention. 

Claim 2 specifically recites sending the accounting record to the first and second flow 
aggregation processes. As explained above with respiect to claim 1, this is not taught or 
suggested by Iddon et al. "because- Iddon et al. does not teach or suggest a flow aggregation 
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process as that term is defined in the specification. Rather than merely being inferentially 
claimed as part of the method of claim 1, claim 2 specifically recites the first and second flow 
aggregation processes as part of the claim structure. Thus, it is even more imperative for claim 2 
that the Patent Office sho,w where in the reference the claim element is taught or suggested. The 

w 

Patent Office mistakenly jrelies on certain passages for the suggestion that there are two flow fn 

aggregation processes. Tl|tris has been addressed above. The passages do not teach or suggest ^ 

i 

how to modify the, references to arrive at the claimed invention. ^ 
Claim 1 8 is pateniable for the same reasons that claims 1 and 2 are patentable, and further ^ 
has an independent reason for patentability. Specifically, claim 1 8 recites "determine[ing] an Ej^ 
error relating to the first 1 low aggregation process to cause the aggregate reports from the second ^5 
flow aggregation process to be sent to the accounting module in place of the aggregate reports ^ 
from the first flow aggregation process." The Patent Office fails to show where this claim q 
element is taught or sugg ested in the reference, and further fails to show where the motivation is 
to modify the reference in such a manner that arrives at the claimed invention. Since the element 
is not taught or suggeste< ' and there is no motivation to modify the reference, much less a 
suggestion as to how to modify the reference to arrive at the claimed invention, the claim is 
patentable over the rejection of record. 

Claims 3-17 and J. 9-23 depend from claims 1, 2, and 18 and are patentable at least for the 
reasons that claims 1, 2, find 18 are patentable. 

With respect to cjaims 3 and 12, the Patent Office has not considered the second part of 
the claim. Applicant respectfully traverses the rejection. Specifically, even if Iddon et al. 
determines that the flow segregation process is not operating (a point that Applicant does not 

concede), there is still noj teaching or suggestion that the data collector continues to collect and 

t 

store accounting records |&om the network device for future transmission to that flow 
aggregation process. Siifce the Patent Office has not shown an element, nor has the Patent Office 
shown any motivation to' modify the reference to include the element, the claims are patentable 
over the rejection of record. 

Claims 4 and 19 have limitations similar to that addressed in claim 1 8, and the Patent 
Office fails to identify where in the reference an error relating to the first flow aggregation 
process is located, much less acquiring the data from the second flow aggregation process when 
the first is not functioning;. 
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In short, the Patent Office has failed to establish prima facie obviousness by failing to 

i 

show where each and every claim element is taught or suggested in the references, and Applicant 
is not required to present arguments or evidence of non-obviousness. MPEP § 2142. Applicant 
requests reconsideration c[f the rejection in light of the arguments presented herein and claim 
allowance at the Examiner's earliest convenience. 
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VERSION. WITH MARKINGS TO SHOW rtif ANCTS MADE 



paragraph beginning on page 1, line 5 with the following rewritten 



In the specification: 

Please replace the 
paragraph: 

Data collection systems are used to collect information from network traffic flow on a 
network. These data collection systems are [design] designed to capture one type of network 
traffic from one source type and [delivery] deliver the date to one application type such as a 
billing application,--. \, 

!' 

Please replace the paragraph beginning on page 6, line 13 with the following rewritten 

paragraph: j' 

The accounting process 14 enables users such as an Enterprise or an Internet Service 
Provider to maintain an existing accounting configuration. Information sources can include 
network traffic flow, RADIUS accounting data, RMON/RMON2 data, SNMP-based data, and 
other sources of network lisage data. The accounting process 14 collects data via the flow data 
[collector] collection layer [16] 18 from multiple disparate sources and produces a new type of 
composite records. Thes I new composite records [results is] result in new information which 
provides a source for network accounting, billing, management, capacity planning, and so forth.--. 

i 
i 

Please replace the'paragraph beginning on page 7, line 4 with the following rewritten 
paragraph: j 

Referring now to FIG. 2, the equipment interface layer 16 of the accounting process 14 
includes various equipment interfaces 42a-[42i] 42c which are, respectively, an interface 42a for 
the router/switch 12a, an! interface 42b for the cable/modem head end 12b, and an interface 42c 
for the flow probe 12c. lire equipment interface layer 16 also includes additional interfaces such 
as an interface [12d] 42dj'for a remote access concentrator Ud, an interface [12e] 42e for an 
Extranet switch I2e, an interface 42f for a DNS server 12f, and an interface 42g for a RADIUS 
server 12g. The equipment interface can have additional interfaces that can be specified, as new 
equipment is added. The interfaces 42a-42g can be developed by an interface toolkit 44. The 
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interface toolkit 44 permits a user to construct a new equipment interface type to couple the 
accounting process 14 to anew equipment source type.-. 



Please replace the 
paragraph: 



paragraph beginning on page 8, line 24 with the following rewritten 



The accounting process 14 also includes a flow aggregation [process] processor 60 that is 
part of the aggregation anjl distribution process 17 (mentioned above). The flow aggregation 
[process] processor 60 is a central collection point for all network accounting records [(NAR's)] 
(NARs) produced from vijrioiis data collectors 52a-52g in the flow data collection layer 18. The 
flow aggregation [process \ processor 60 receives [NAR's] NARs from various data collectors 
52a-52g and aggregates, ije., summarizes related information from the received NARs across the 
accounting support arranfjement 10. The aggregation [layer] processor 60 produces Summary 
[NAR's] NARs i.e., enhanced and unique network- accounting records. That is, the flow 
aggregation process aggregates the records across the network devices; whereas, individual data 
collectors 52a-52g can ag gregate accounting records from individual data sources. Aggregation 

will be described below hi FIGS. 14-23.--. 

1 

i 

Please replace thejparagraph on beginning on page 1 0 7 line 2 with the following rewritten 
paragraph: ; 

;3, for the Internet service provider, data collectors 52a-52d (illustrated 

it specific Points of Presence (POP), such as remote access 

i : • 

concentrators 102 manag ed by the Internet service provider. The remote access concentrators 
a]low[,] a mobile Interna user 106 or an Internet user 107 with remote access to access an 
enterprise over the Interact, via the Internet service provider. In this example* the Internet 
service provider arrangement 100 and the large Enterprise arrangements 110 and 120 include 
servers 13, 13', and 13*' that run accounting processes 14, 14' and 14". The accounting 
processes 14, 14* and 1 4V each independently manage and collect information regarding 
network traffic usage— . 



As shown in FIG. 
in Fig. 2") are distributed 



Please replace the paragraph beginning onvpage 12, line 8 with the following rewritten 
paragraph: ,". 
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Referring now to KG. 4, a similar access configuration 100% as the configuration 100 



(FIG. 3) can be used with 



servers, for example. It is 
In this configuration, the 



[in Extranet switch 122. Extranet access allows remote users to dial 
into an Internet service provider (ISP) and reach a corporate or branch office via an ISP. The 
Extranet switch 122 allow:? Internet users access tbjcorporate databases, mail servers and file 

an extension of the Internet in combination with a corporate Intranet. 

I 

Jxtranet switch 122 can be owned and operated by an Internet service 



provider as shown with enteiprise A, or it could, alternatively, be owned and operated by an 



enterprise, as shown with 
enterprise A or enterprise 
protocols such as Layer 2 



Tunneling Protocol fP PT] ') or Internet Protocol Security Q PSecl, and so forth. The accounting 
server 13 located at the s€ rvice provider and also accounting servers 13 M3" within enterprise A 
and enterprise B allow ea ;h the Internet service provider and each of enterprises A and B to run 



accounting process 14', 1 



communication with one 



enterprise B. Users jwould access the corporate network of either 
B, via the Internet servicle provider with various types of tunneling 
Tunneling Protocol £L2TP}, Laver 2 Forwarding (L 2F), Point to Point 



%" on the servers 13f*, 131" to monitor and collect network data- 



Please replace the paragraph beginning on page 13, line 1 with the following rewritten 
paragraph: 

Referring now to S?IG. 5, a graph 140 depiction of a very large scale network includes a 
device "A" 142 communicating with a devicef"B"i 144. The graph 140 includes nodes (not all 

numbered) that can represent routers, switches, flcjw probes, etc. that have interfaces (not shown) 

i j 

which maintain statistics on information passed through the interfaces. For example, a switch 
may have a number of Ethernet ports and a host could be connected to one of the ports and in 



I 

of the interfaces to transfer information over the network. The 



interface would have counters that are used to. track ["packet's in, jacket's out", Be bytes in, bytes 
out",] "packets in," "paclets out" "bvtes in." ''bvfes out." and so forth.-. 



Please replace the paragraph beginnin J on'page 13, line 12 with the following rewritten 
paragraph: ' 

~ In this case of the host connected to tbEe poh, or a router or some other device being 

| { i 

connected to the port, th^re is no other connectionj that the host, router or other device is aware of 
other than the entire network. This is an example !of a "connectionless [connectless] oriented" 
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i 

protocol. A data collector|52 can be disposed in the network in a path between the entities "A" 
and "B" such that the data collector 52 monitors some of the packets that comprise a flow 
between "A" and "B." aJ a single point monitor, the data collector 52 has no concept that there 
are two ends communicating. The data collector 52 identifies these entities U A" and "B" in 
various NARs produced t*V the data collector ^2. At a later stage in the processing, either in the 
data collector 52 or elsewhere in the accounting process 1 4 the NARs are correlated so that the 
NARs or some aggregated NAR produced by the data collector 52 or the rest of the accounting 
process 14 can be associated with the accountable entities "A" and "B" to thus identify a 
connection between entiti ss *'A M and "B."-- , ■: 

Please replace the paragraph beginning on page 14, line 23 with the following rewritten 

paragraph: ; 

Thus, the lata collector 52 is a jsingle point monitor[,] that monitors traffic at one 
point in the network and < inverts the traffic into [a] "pipe oriented" or "flow oriented" 
accounting information. Hie data collector 52 identifies a source and a destination of the traffic. 
That is, the data collector 52 develops a "correction oriented tracking" By distributing data 
collectors 52a-52g (FIG. 2) [through out] throughout the network^ the network can be modeled as 
pipes having two endpon its. A data collector can be disposed in a partial pipe. The data 
collector 52 determines t lat one end of the pi^e refers to "A" and the other end of the pipe refers 
to "B." The data collectc r 52 can be disposed' anywhere along the network.—. 



Please replace the paragraph beginning oripage 15, line 1 3 with the following rewritten 
paragraph: ) , 

— Some equipment have a half pipe model that [generate] generates independent accounting 

j ' 

records for each half pipe. The data collectors can assemble full pipe information from half pipe 
information. The accoun ting process 14 coulid bexoupled to equipment that gives a half pipe 
model for A communicating with B and a separate one for B communicating with A. The data 
collectors 52a-52g combine information from! these two half pipes into a bidirectional flow.--. 



Please replace the paragraph beginning on page 15, line 21 with the following rewritten 
paragraph: 



23! 
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Referring now to FIG. 6, an example of data flow 130 through the accounting process 14 
is shown. In this example tiie data flow 130 is initiated by a user 131 making a call to a remote 
access concentrator (RAC ) 132. Upon receiving the call, the RAC 132 authenticates the user 
131 against a secure access controller 134. , Afjer verification, the RAC 132 connects the user 
131 to the network 135 arid sends a RADIUS Start record (not shown) to the accounting process 
14. The accounting proceL 14 generates a RADIUS Start NAR 137a and stores the RADIUS 
[start] Start NAR 137a in \i database 62. At that point, the remote user may check e-mail, look at 
a web server and transfer 

traffic, generating [a] e-mjiil, http, and ftp networkjaccounting records 137b-137d, respectively. 
These are stored in the da (abase 62. Upon completion of these transactions the user would log 
out of the network, at whi ch time the RAC 131 would send the accounting process 14 a RADIUS 
Stop record. The accounting process 14 generatesja RADUIS Stop NAR 137e and stores the 
RADIUS [stop] Stop NA 1 137ei n the database 62. All of these records reflecting the user's 
transactions could be viewed and reported in flexible ways dependent on the needs of an end- 
user application.--. 



paragraph beginning on page 16, line 27 with the following rewritten 



Please replace the 
paragraph: 

- FIG. 7 has [at one level 152] a plurality of exclusively "Activity NARs" which could 
correspond to a very low level of detail, or cc|ildb°e the result of a prior aggregation providing a 
higher level view of the information. Thus, EIG. 7 shows a collection 152 of exclusively activity 

NARs. From base level llata, additional "vie%s" of the NAR could be produced, such as a set of 

ij * 

"Summary NARs" 1 54, or another set of Activity .NARs 156 which could be a result of further 
aggregation of the base level information, or ijastlj? a combination of a set of Summary NARs and 
Activity NARs 158. The summary NAR is produced by the central aggregation [layer] processor 

K il ' ^ 

60 and can include user identifying information, pprotocol information, connection time 

information, [and] data information, and so fi^rth.—. 

!' 

' } 

Please replace the paragraph beginniiig onjpage 21, line 13 with the following rewritten 

paragraph: *j . * 

i 
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The plurality of Ne twork Accounting Record Attributes 204a-204n provide metrics for 
the NAR 200. The Network Accounting Record Attributes 204a-204n capture specific 
information contained in data from network devices. Differentiating between the [entity 
identifier] Network Accot ntin F Record Identifier 202 and the metric 204 allows the accounting 
process 14 to perform logical and arithmetical -operations on metrics 204 while leaving the 
j>Tminti-c iA~n*}**+ 707^ Network Acfounting Record Identifier 202 intact. The 
[accounting identifier] Network Accounting Record Identifier 202 can be enhanced unlike the 
metrics 204 .—. \ 1 

Please replace the paragraph beginning on page 21, line 22 with the following rewritten 
paragraph: 

- The data collector 52a-52g (FIG. 2) are oriented around the process of filling in the 
NAR. The metrics are le: t untouched by the data collector and are passed transparently into the 
accounting process flow aggregation [process] processor 60. The data collectors 52a-52g assign 
the [accounting entity ideatifiers] Network Accounting Record Identifiers 202 to the metrics e.g., 
a source and a destinatioi i identifier to the metric. In the example of a router, link, the metrics 

that the router interface provides are in the fofm of 'Information in" and "information out" e.g., 

■ i 

octets in, octets out, bytes, in, bytes out a datagrams in, datagrams out, faults in, faults out, and so 

j ; j 

forth. The data collectors 52a-52g determine jwhat "in" and "out" [means] mean and assigns the 
unique identifier that is unambiguous relative; to the determined meaning of "in" and "out. ! 

i j i 

Once a data collector 52 has established this convention, the convention is used throughout the 
system 1 0.-. 

Please replace th^ paragraph beginning on page 33, line 17 with the following rewritten 
paragraph: ■ j 

Referring now to ,FTG. 1 5, a data collection process 330 performed by the flow data 
collector 52 of FIG. 17 is shown. The fiow| data collector receives 332 data from the equipment 
interface for [an] a network device. The flow data collector performs an equipment interface 
specific translation to convert 336 the received data into NAR format as well as populates the 
NAR header. Once the NAR is populated with the appropriate data, the flow data collector 52 
attempts to correlate 338 the newly populated NAR with the other NARs. That is, the flow data 
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collector 52 compares the newly populated NAR to NARs currently stored in the local store 3 14 
(from FIG. 14) to determine if there are multiple instances of the same object. Specifically, 
correlation is performed bV examining the ACCT_EIfTITY_ID (from FIGS. 1 1A-1 IE).-. 

i 

Please replace the paragraph beginning on page 37, line 27 with the following rewritten 

: 

paragraph: j j 

The flow aggregation processor (FAP) 60 (Fl£. 2) aggregates and/or enhances record 
data across the system 10J It receives data from multiple flow data collectors (FDCs) that may 
be aggregating and enhan :ing close to the source of the information (as described above with 
reference to FIG. 1 7). aJ NARs are received from multiple FDCs, the data can be further 
enhanced and/or reduced lie. aggregated) to meet the specific needs of an application or output 
interface based on the aggregation policy of the flow| [data] aggregation processor 60 (FAP). 
The design and operation 



of the FAP will be described in more detail below.- 



i 

Please replace the paragraph beginning on palge 41, line 6 with the following rewritten 
paragraph: 

These two records NARl, NAR2 are combined through correlation 442 (from [FIG] FIG. 
17) and enhancement 44^ (FIG. 17) to generate an enhanced NAR2 532. This enhanced NAR 



has a modified accountab le entity identifier 534 and 



a metric. The modified accountable entity 



identifier is the existing accounting entity ID 514, to which the FAP has added the IP-to-[user 
name] username assignment [512] from the accounting entity ID 512 of the NAR1 508.--. 

Please replace thJ paragraph beginning on page 41, line 13 with the following rewritten 
paragraph: j j 

- Still referring to FIG. 1 8, the NARl 508 has |an IP-to-usemame mapping 5 12 and an 
accounting interval 5 1 6 comprising a start time and ^ session time to indicate a time interval 
bounded by start time tfi T*r anda start time -^session time CT2"), that is, the accounting interval 

i '* ' 

represents a start time and a stop time. The username 524 in the IP address-to-username 
mapping is supplied by the DHCP server 500i In the FAP, this NARl information will either go 
directly to a correlation Amotion or to the local store (which could either be a database, file or 
memory), where it can be directly accessed by the correlator function. The NAR2 5 1 0 has an 
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accounting entity ID 5 14, a T3-tofT4 accounting time interval 5 1 8 and a metric 530. The 
accounting entity identified 514 has two IP addresses 526, 528, one corresponding to a source IP 
address and the other corresponding to a destination IP address. The NAR2 [502] 510 is passed 
to the correlator 442, whiJh determines that the Tl-to-T2 time interval 516 from the IP-to- 



usemame address map in 
interval 518 of theNAR2 



he NAR1 508 overlaps or in some way relates to the T3-to-T4 time 
510. The correlator 442 determines that Tl, T2, T3 and T4 are related, 



and that the IP address 52$! in the, IP-to-usemame address mapping 512 is associated with one of 



the two IP addresses 526, 



528 in the NAR2 510. Thus, the FAP enhances the NAR2 510 by 
inserting information from the accounting entity ID 512 (of NAR1 508) into the accounting 
entity ID portion of the NJ\R2 510. The resulting, enhanced NAR2 532 has an enhanced 

hat includes the T3-to-T4 timestamp (not shown), the IP-to-IP 
528 and the usemame 524: Thus, the enhanced NAR2 now has a 



accounting entity ID 534 
addresses [526-528] 526, 



mapping between the use name and the one of the IP addresses 526, 528 that is related to the IP 
address 522, The metric 530 is unchanged.- : 

! 

Please replace theparagraph beginning on page 49, line 20 with the following rewritten 
paragraph: 

As discussed abo> e in reference to FIG. 2, the accounting process supports a flow probe 
e.g., 12c that captures a u ser's network activity for purposes of IP accounting. The flow probe 
12c monitors all traffic over a given network link and captures data associated with the different 
flows in the traffic on thai: link. It is capable of monitoring IP data flows over a number of 
technologies (e.g., Ethernet, Asynchronous Transfer Mode (A TM), FDDI, etc.).—. 



03 
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Please replace the* paragraph begnminjg on page 51, line 9 with the following rewritten 

! : 
paragraph: * 

Generally, a flow'is defihed as any communication between communicating entities 

identified by an IP address, a protocol and a service port. All IP packets (or datagrams) are 

! i 

categorized using the fields present in the packets themselves: source/destination IP addresses, 
the protocol indicated in the IP lieader PROTO field, and, in the case of User Datagram Protocol 
(UDP) or Transmission Control Protocol (T CP\ by the packet's source and destination port 
numbers.—. ; 
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Please replace the paragraph beginning on pa^e 58, line 20 with the following rewritten 

1 ' i 1 

paragraph: j ; \ \ ! : 

The flow probe reports oil network traffic activity through a flow probe NAR, which 
reports IP flow traffic actitoty. The flow probe categorizes network traffic into one of four 
classes of traffic flow: connection orientek (e.gl.jTCP); ii) new connectionless; iii) 
request/response connectionless (e.g., TT^nitagram Protocol fUDPl Domain Name System 
£DNSD; and [iii]iv) connectionless persistent (e.g. s Network File System (NFS\ Multicast 
BackBONE, or "MBONE" multicast traffic). |to each of these [class] classes it applies 
connection oriented semantics for a uniform approach to status reporting. That is, the flow probe 
treats these dissimilar transaction models as if they were the same. There is one uniform 

f I I ! 

structure for the status reports generated for each of the 4 different transactions. Each status 

report includes transaction start and stop information; media acces s control (MAC) and IP source 

and destination addresses, the IP; options that jvere seen, the upper layer protocol used, and the 

transaction source and destination byte and packet cdunts and upper layer protocol specific 

1 i ■ ' 

information. The protocol specific informatioii anditne criteria for when the status reports are 

createdM is different for each of the four transaction types.-. 

: ! H 

Please replace the paragraph beginning on jiajje 63, line 23 with the following rewritten 
paragraph: j. | j • 

For some protocols that permit wrap around^jthe packet loss detector process 704 tests 
718 if the sequence number has wrapped around e.g;j gone from 32 bits of all ones to 32 bits of 
all zeros- The [IP SEC] I PSec Authentication packets currently do not permit wrap around, so 
test 718 would not be necessary (for [IP SEC] 



IPSed -Authentication Headers. If for other 



protocols (or latter versions of the [IP SEC Authenication] IPSec Authentication protocol), the 
packet loss detector process 704; detects a wmp arofuind condition^ then there has not been any 

packet loss and the packet is dropped The packet loss detector process 704 will update 712 the 

' i-" 

stored sequence number W that! flow in the dache. ! If the sequence number is any other number, 
i.e., it did not turn over to all zeros, then there may have been packet loss. If there may have 

been packet loss, the packet loss detector process ^jjj4 can determine how many packets have 

! ' i 

been lost by determining bow many sequence numbers are missing.™. 
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Please replace the paragraph beginning tm pajgb 66, line 15 with the following rewritten 

! , !i ! 

paragraph: i j; \ 

An important component of quality of servic|f includes determining whether there has 
been packet loss. The packet detector monitor descried in conjunction with FIGS. 29A and 29B 
can be used to access paciet loss: The packet ^election monitor 702 can be deployed in the 
network and generate NAfes that can be used to det|mine packet loss as discussed above. This 
information can be used ill the capturing quaii ty of service process 730 to assess whether the 
policy specified by the se::vice level agreement was |ppvided to the customer. Additionally, so 
called Differentiated Serv ice "[DivServe] DiffServ technology" that a known quality of service 
solution that has been pro posed for the Internet as wssll as enterprise networks. In contrast to a 
per-flow orientation of so toe types of quality of sen/ice solutions such as Integrated Services 
ant-servl and Resource Reservation Setup Protocol IfR SVP). Diffserv enabled networks classify 
packets into one of a small number of aggregated floors or ''classes", based on bits set in the type 
of service (TOS) field of sach packet's IP healder. liis [is a] quality of service technology for IP 
networking is designed t< lower the statistical probability of packet loss of specific flows. The 
capturing quality of service process 730 establishes [DivServ] DiffServ policvM that is 
decomposed into a collec tion of [DivServ] DifiSeri configurations. The [DivServ] DiffServ 
configurations are deployed to a collection of routei^ or switches that the customer would have 



access to in the network 



traffic because of the use 
in which the [DivServe] 
policies are generally deployed at the source 
destination port level 



1 as part of the enforcement/deployment process 732. Because packet 
loss is a statistical phenomenon, the capturing jquality of service process 730 observes 736 a large 
number of network flows . The capturing qualjty ofjservice process 730 can observe network 

of the accounting process jl<4 and the resulting NARs at the granularity 

i ! \\ - lj 

DiffServ policies a^actually being deployed. The [DivServe] DiffServ 
;ihd destination IP address, protocol and possibly 



\ 



Please replace the paragraph beginnn] g on page 68, line 19 with the following rewritten 



I 
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provisioning 752 is to send requests 752b to|th,e polity server 754 to obtain an appropriate active 
policy, and [obtaining] to obtain ijules and domain information 754a from the policy server. The 
provisioning system can communicate with Appropriate network management systems and 
element management syst :ms (ndt showrj) to donfiglire the network 10 for an end-to-end service. 
When the configuration 7*2a is deployed at : the various network devices (not shown) [at that 
point], the service is prodiced. The level of service|s monitored or audited by the accounting 
system 756 which can be Ihe accounting process 14;aescribcd above. The accounting process 14 
monitors the level of serv ce by producing appropriate [newtork] network accounting records. 
The [newtwork] network jiccounting records £NARs!)[ are used by a billing application to adjust 
billing based on the level of service that was provided as determined by the accounting [system] 
process 14. The accounti lg [system] process 14 also can compare the policies produced by the 
policy server to the actual levels of service provided to the customer by examining NARs that are 

produced by the customers usage of the netwbrk.— : 

i 

i ] !: 

Please replace the paragraph beginning on page 69, line 12 with the following rewritten 

i !' 

paragraph: j , j j. 

— In addition, levels of service migjit change, and the system takes changes into account so 
that the service management can! modify the cjhargejior account differently for those changes in 
levels of service. The seivice accounting alsd uses the active policy information from the policy 

j • ' i i' 

server to deliver billing iriformation to a billing system or to a chargeback system that can [may] 
make adjustments to billijigs for the service.--!. [ 1 



Please replace thej paragraph beginning on fjiage 69, line 19 with the following rewritten 
paragraph: ; ; ! 

is [build] built on the capabilities of address 

il 

[ so forth. Essentially in a policy enabled network, 



A policy [enable network] server 754 
management, domain name management and 



policy [services] servers produce a set of rules and [applys] apply those rules to a domain or 
problem set. The policy server communicates the Jjiles to the accounting process 14 so that the 
accounting process 14 caai determine what Jrind of ijecords to generate. All of the information is 
described using data flows.--. ! 
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Please replace the paragdph beginning on page 69 s line 27 with the following rewritten 

paragraph: I j 

As an example, a service contract may specify that a company "X" will be given 100% 



availability of a particular 



i 

network device e;g., a router (not shown) and its corresponding 



service. In order to assure that level of service, the rjolicy server 754 sends that requirement in a 
template to the provisioning service 752 to produce a configuration file 752a to configure the 
router to give company 4™ preferred use [fo] of thJ router. Therefore, every time a packet from 
company ["X's"] "X'"s network comes across the router, the packet will always be transmitted 
unless there is something Urong ; with the router. This may occur even if a packet of company 



tc Y" a which has a lower service level that ccjmpany 



[transmitted] transmitted The packet from company "Y" will wait because company "Y" is not 



company U X" contracted 



paying for the quality of service that company "X" is paying for.--. 

\ 

Please replace the paragraph beginning on page 70, line 13 with the following rewritten 
paragraph: 

In that case, the p o visioning service [configures] 752 configures the policy enforcement 
mechanism that was put into the router in tijie network. How the policy was defined to the 
provisioning equipment i % that there is a orie-to-one 
accounting process 14 will monitor in the network. 



X" 4 is waiting in the router to be 



to have 100% availability from the router.—. 



relationship between the policy and what the 
The accounting process 14 will be aware that 



Please replace th^ paragraph beginning on page 70, line 20 with the following rewritten 
paragraph: 

■i 

The accounting process 14 will then take every source of information it has available and 
will construct an accounting record that reflects the level of service actually delivered to 
company "X." The accolnting records [produce] p roduced are relative to [the] two components, 
i.e., the router and the customer. The accounting process 14 is flexible and can generate 

accounting records of any flow abstraction} In [this] the service management feedback process 

1 ! ' 

750, the policy server 754 sends a flow bailed policy to the provisioning [server] service 752. 
The provisioning [server] service 752 uscs;*a flow based policy to configure the network. That 
same flow based policy te passed to the accounting process 14 A which can generate [network 
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accounting recordsl NARs having metrics that can be used to match the same level of those 
flows. The output of the ^counting [pioc^s] process 14 will determine whether the quality of 
service, availability, etc. fjiat was contracted for in the contract 751 was provided. Therefore, the 
service management feedbac k process 750 jirovides the level of service that was delivered at the 
same semantic level as th^ actual contract-4 

! i 

Please replace the 'paragraph beginrring on page 71, line9 with the following rewritten 

I 

paragraph: ! 

of service as audited by the accounting process 14 includes detecting 
i of the components managed by the service 



Capturing quality 
[of] packet loss, as mentioned above. Each 



management feedback pricess 750 [require] requires information. Therefore, the [service] 
provisioning service 752 has to provision these various quality levels. The policy server 754 A 
thus, keeps what is essentially enforcementjof the levels of quality that are offered by different 
service types, and the accounting process 7156 detects, monitors and audits whether those classes 
in quality of service are b eing delivered.—. ! 

i 

, j 

Please replace the paragraph beginning on page 71, line 19 with the following rewritten 
paragraph: j h 

- Referring to FIG.J32, an implementation of the [service management] provisioning 
service 752 is shown. Tlje provisioning service [management provisioning] 752 extends 
concepts of device management and network management into a service management layer of 
functionality. [Service management] The {provisioning service 752 includes a provisioning core 
782, provisioning modulL 784, and element managers 786. [Service] The provisioning service 
752 is user focused rathe?: than network foqused^ as;in conventional network management. 
Network management involves communication with network systems and equipment. [Service] 
The provisioning service 752 is [orient] oriented more towards a user and a user's concepts of 
services. [Service] The jbrovisioning service 752 provides an additional layer of abstraction that 
relates the description of services at a user level to a network's ability to provide those end-to- 
end services. The architecture 780 of [service] provisioning service 752 is a multi-device 788 at 
the bottom of the architecture and multi-service 790 at the top of the architecture. The [service] 
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provisioning service 752 is deployed to write commands to the network systems, i.e., [network 
elements] multi-devices 788 [inorder] in order to change the configurations of those systems.-. 

Please replace the paragraph beginning on page 72, line 9 with the following rewritten 
paragraph: 

Since many end customer services now require that a network operate with multiple[, 
different] kinds of network elements in order to provide an end-to-end service, the [service] 
provisioning service 752 simplifies producing information that is necessary for a service provider 
to translate a service order from a customer to a network configuration, i.e., all commands 



necessary for all the diffe: 



rent elements in the network in order to create an end-to-end service.—. 



paragraph beginning on page 72, line 17 with the following rewritten 



Please replace thej] 
paragraph: 

The [sexvice] provisioning service 752 guilds on existing systems. That is, in the lower 
layers there are existing element managers that have a configuration management system to 
configure at the network ayer. The [service] provisioning service 752 adds layering over the 
conventional network [mmagment] management layer. [Service provisioning] The provisioning 



service 752 maps a custo: 



ner specified [end to end] end-to-end service to the network elements 



that are [required] require d to produce that end-to-end service. Mapping of a customer's service 
orders into the state of th is network can have various pieces of workflow necessary to create or 
completely activate this service order. 
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In the claims; ' 

Please amend clajms 1 as follows: 
1 . (twice amended) A mbthod of transmitting accounting records in an accounting system that 
produces information pertaining to network traffic flow comprising: 

collecting data from a network device by a data collector associated with the network 
device and producing accounting records from the data; 

transmitting the accounting records' to first and second flow aggregation processes, with 
transmitting further comprising for each flow aggregation process: 
storing in the data collector ; the accounting records; 
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transmitting the accounting records to the flow aggregation process; and 
awaiting ari acknowledgment signal from the flow aggregation process that the 

flow aggregation process ieceived the accounting records before discarding the accounting 

records sent to the flow aggregation process. 
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